I have a few questions around your question:

When you state "user logs into the network (example: Domain Controller)", are they logging into a server that has the Agent installed locally on the system?

Is the "escalates privileges" part a separate item of interest, or are you only looking for port scans by users with escalated privileges?

Is the port scan on the local system they logged into, such as the Domain Controller you mention as an example? Or is the port scan on another system that has / doesn't have the Agent installed, or possibly just a port scan on the VLAN / the network?

There is a built-in "Port Scan" rule (that needs a little tweaking) in the default rule set. Is this not detecting whatever you are trying to accomplish?